Tim Burnett

Interview with Tim Burnett

Email interview held on 22nd September 2017 between Alan Radley (questioner) and Tim Burnett (relator), as follows:

What are your thoughts on the current state of cybersecurity, both for organizations and for consumers?

It’s not that the goalposts for cyber security have moved; more that the entire game has changed so that we’re no longer playing football but now cricket, and the other side has 500 players, almost all of whom are bowling hand grenades at us (fast, medium, spin – you name it) and we’ve gone out to the middle in our football kit without pads, helmet, gloves or even a bat.

Cyber security is no longer about defence and prevention; instead it’s all about response and recovery. The perimeter at the edge of the corporate network doesn’t exist – hasn’t existed in real terms for many years, to be honest – so there is no “edge” to think about. Traditional endpoint protection – running an anti-virus program – will never be able to keep up with the number of attacks or the speed at which these are evolving. The gap between a new piece of malware being detected and a viable anti-virus signature being available is 4-5 days, during which time your IT is vulnerable.

Security is not a technology problem that can be solved with a few bits of hardware or software; it is a business problem that needs to be addressed in the core culture of every organisation, in every type of business and at home. It’s very easy for a cyber security vendor to make unsubstantiated claims that their product or service will provide complete protection, instant compliance, etc.; yet, if you scratch a little deeper, it becomes clear that they are almost as dumbfounded as the rest of us. It takes a company with more guts than most to turn around and say, “This will provide limited protection against this specific type of attack.”

Perhaps surprisingly, large organisations are potentially at greater risk than smaller ones: there is less accountability, with security becoming “someone else’s problem”; the financial impact is not directly attributable to individuals; and staff will use quick fixes and bypasses, often well-intentioned (such as emailing a document home to work on), to get around over-heavy corporate rules and processes. In a small business, by contrast, people know what is important, who is responsible (everyone knows that they, personally, are), what the impact of damage is and so on. SMEs are more agile, flexible, fast to move and so on. Although they can and do set up heavy, complex information security structures, big businesses have so many systems, processes, procedures, hierarchies, departments, etc. that the likelihood of a breach becomes so much greater and the time taken to detect a breach is so much longer.

For SMEs – particularly the very small businesses and sole traders – and consumers, there are often two responses: fear of the problem, and a tendency to ignore it. Both lead to a reluctance to do anything, until it’s too late. Advice is confusing and complicated yet simple measures – backing up your data to a removable drive, applying patches, running an up-to-date anti-malware product, not allowing your children to use your work PC – can prevent most incidents. That is before worrying about checking emails before you click the links, not opening attachments, being generally suspicious about anything unusual, etc.

What – in your estimation – are the reasons behind the many computer security breaches/failures that we see today?

The prime threat to any organisation is its own unwillingness to invest in cyber defence and resilience, or timely response and recovery. Major data breaches, such as TalkTalk a few years ago and Equifax recently, occur as a result of lack of investment in simple patching, updating and IT hygiene – this is a business problem, not a technology one. At the same time, the IT world has been turned on its head with changes in technology and business practices such as cloud, IoT, data analytics and mobility. We are approaching a perfect storm: a historical and ongoing lack of investment in cyber security resources (both human and technological), training and cultural change; new data protection legislation, together with a complicated and expanding array of security standards; new technologies; faster and more pervasive Internet connectivity.

Cyber attackers are a serious, properly organised business; not just some kids in their bedrooms. Unlike “proper” businesses, they work outside the law, have almost unlimited resources, only have to succeed once and the financial returns are large and immediate. Whereas the defenders are working with very limited resources (typically less than 2% of the total IT budget) and have to succeed every minute of every day against attacks from every side, including from within their own organisation.

Where do you go to find your “science” of cybersecurity?

I follow a number of people and companies on LinkedIn, although you have to remember that security vendors are trying to sell a product, so treat their statements with caution; generally, though, they have a good focus on changing requirements.

Do you recommend a particular cybersecurity blog that our readers could follow?

Not one specifically; I would recommend that people read widely and then make their own minds up.

What keeps you up at night in the context of the cyber environment that the world finds itself in?

Firstly, overall attitudes to privacy – whether within the workplace, by government authorities, or by individuals being very lax with their own personal data.

Secondly, new technology being pushed to market or deployed in businesses without a care for cyber security. Over the years we’ve seen things like BYOD or public cloud services such as Dropbox being used by businesses; the new technologies today would be IoT and “connected everything”.

—

Thank you kindly Tim Burnett for taking the time out of what must be a busy schedule to answer our questions in such a purposeful way.

Tim Burnett – Biography

Whilst information security isn’t something that people typically get excited about, I believe that that needs – and is starting – to change. I inspire others through regular speaking engagements, blog posts and social networking, as well as leading a team of dedicated security architects across a wide range of technologies. I seek to overcome the barriers to changing corporate culture so that it becomes security-savvy, and to deliver solutions that match the real problems that customers experience rather than simply deploying mythical “silver bullet” technology solutions.

As we see increasing numbers of corporate data breaches making the news, rising concerns about personal privacy and the threat of deliberate damage or intellectual property theft, together with worries about compliance with regulations, businesses know that they need to address their data security concerns. As an experienced senior information security consultant, I combine my knowledge of security with an understanding of business requirements and strategic direction to develop appropriate security solutions that will address these concerns.

With a broad technical background in IT, I’m comfortable talking with senior-level executives about their strategic direction and security concerns as well as relating these at a technical level, using strong presentation and documentation skills appropriate to the audience. Working in one of the world’s largest systems integrators, I have helped to create a thriving managed security services and technical consultancy organisation, leading a team that delivers solutions to major national and multi-national customers across both public and private sectors.

There may be no such thing as perfect security but, by talking with people, appreciating companies’ business strategy, requirements and risk appetite, we can start to understand the real problems and then define solutions to address them.
